CVE-2023-46943

Summary

A critical security flaw is present in the EverShop Web Application in versions prior to 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application. This vulnerability has been fixed by implementing session authentication.